A Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) may be used to prevent automated software from performing actions that degrade the quality of service of a given system, whether due to abuse or resource expenditure. A CAPTCHA may be used to protect a computer system, such as a webmail service, from e-mail spam.
A CAPTCHA is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process typically involves one computer asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. A common type of CAPTCHA involves a user typing letters or digits from a distorted image that appears on the screen. By contrast, a checkbox that says “check here if you are not a bot” might serve to distinguish between humans and computers, but it is not a CAPTCHA because it relies on the fact that an attacker has not spent effort to break that specific form. Such “check here” methods are usually defeated relatively easily.
Because a typical CAPTCHA relies on visual perception, a user unable to view a CAPTCHA, for example, due to a disability or because it is difficult to read, may be unable to perform the task protected by a CAPTCHA. Accordingly, a site implementing a CAPTCHA may provide an audio version of the CAPTCHA in addition to the visual method.
Even an audio and visual CAPTCHA may require manual intervention for some users, such as those who have visual disabilities and are also deaf. Attempts at creating CAPTCHAs that are more accessible include the use of JavaScript, mathematical questions (“what is 1+1”), or “common sense” questions (“what color is the sky on a clear day”). However, these approaches do not meet both criteria of a CAPTCHA: being able to be automatically generated and not relying on the type of CAPTCHA being new to the attacker.
Many CAPTCHA implementations are prone to common attacks. For example, a CAPTCHA may be defeated by exploiting bugs in the implementation that allow the attacker to completely bypass the CAPTCHA, by improving character recognition software, or by using cheap human labor to process the tests. Additionally, a user of a website offering free services may be asked to solve a CAPTCHA for another website before accessing the free services.
Some CAPTCHA implementations may use only a small fixed pool of CAPTCHA images. Eventually, when enough CAPTCHA image solutions have been collected by an attacker over a period of time, the CAPTCHA may be broken by simply looking up solutions in a table.
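The contrast between a fixed pool and per-request challenges can be sketched as follows. This is an added example, not part of the original text: ChallengeStore, fixed_pool_issuer, distinct_answers, the alphabet and the 120-second lifetime are hypothetical names and values chosen for illustration.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # constructed; look-alike characters omitted


class ChallengeStore:
    """Fresh random answer per challenge; each one is single-use and expires."""

    def __init__(self, ttl_seconds=120, length=6, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.length = length
        self.clock = clock
        self._pending = {}  # challenge id -> (answer, expiry time)

    def issue(self):
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, self.clock() + self.ttl)
        # The answer goes only to the server-side image renderer, never to the client.
        return challenge_id, answer

    def verify(self, challenge_id, response):
        # pop() consumes the challenge on the first attempt, right or wrong,
        # so a solved or failed challenge can never be submitted again.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        answer, expiry = entry
        if self.clock() > expiry:
            return False
        given = response.strip().upper().encode()
        return hmac.compare_digest(answer.encode(), given)


def fixed_pool_issuer(pool):
    """Weak pattern from the text: answers drawn from a small fixed pool."""
    return lambda: secrets.choice(pool)


def distinct_answers(issue_answer, n):
    """Count the different answers seen across n issued challenges."""
    return len({issue_answer() for _ in range(n)})
```

With a fixed pool, distinct_answers can never exceed the pool size no matter how many challenges are issued, which is what makes a collected solution table reusable; with per-request answers it grows with the number of challenges.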
U.S. Patent Application Publication No. 2008/0009345 to Bailey et al. discloses a gaming system that uses a CAPTCHA to authenticate a user. Other references, such as U.S. Patent Application Publication No. 2009/0132424 to Kendrick et al., U.S. Patent Application Publication No. 2009/0153292 to Farb, and U.S. Pat. No. 7,552,467 to Lindsay disclose using a CAPTCHA to authenticate or verify a user. U.S. Patent Application Publication No. 2006/0047766 to Spadea, III discloses using a CAPTCHA to verify a sender of an email.
A CAPTCHA may be inconvenient to a user. For example, a user may be diverted from a particular task to enter the letters and/or the digits of the CAPTCHA. In many instances, the user may have to reenter the letters or solve the CAPTCHA again during a period of inactivity, or when the user inadvertently uses a browser's back button. The same holds true when a user requests a bulk amount of data or makes a large number of requests, where each request may require completion of a CAPTCHA.